Re: Format of session id and $_SERVER['REMOTE_ADDR']

Posted by Markus on 02/07/07 14:53

Jerry Stuckle schrieb:
> J.O. Aho wrote:
>>> To be honest, I never understood what is the point in collecting this
>>> value at all, it just had been there in the first sample script I got
>>> from my first PHP teacher years ago...
>>
>> The vast majority of users will have one and the same IP-number each
>> time they request a page during the same session, so you can use that
>> ip-number to check if the request comes from the same machine or not,
>> if you get another ip, you can assume that someone has managed to
>> sniff the session id and is trying to take over that session, then you
>> could terminate the session and request for the user to login once more.
>>
>
> Mostly true. But many users can change IP addresses each time because
> they are using a pool of proxy servers. AOL is a great example of this,
> but there are others.
>
> And most corporations have a firewall and everyone behind the firewall
> uses the same IP address. So you could have hundreds or even thousands
> of people using the same IP address.
>
>> If you feel it's overkill, then remove the whole thing, no point in
>> keeping an IP-number in a database if you're not gonna use it.
>>
>
> Sessions are not security. If you need security, use a secure protocol.
> Then you won't have a problem with sniffing session id's.

These are interesting points. The application is intended to be used in
various shared-hosting based environments; the choice of the protocol is
not part of it. But I just thought about introducing some kind of
low-level security by adding an ip check as an option, which can be
turned off if the administrators work in an environment where the ip is
likely to change during the session.
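An added example (not code from this thread or from Markus's application) of the optional check being discussed, in PHP: the client's REMOTE_ADDR is stored at login and compared on every later request, the assumed constant `SESSION_BIND_IP` lets an administrator switch the check off where proxy pools or NAT make the address unreliable, and the session id is regenerated on login so that an id captured before login cannot be reused.

```php
<?php
// Added example: optional binding of a PHP session to the client's IP address.
// SESSION_BIND_IP is an assumed configuration constant; set it to false where
// users sit behind proxy pools or NAT and their address may change mid-session.
define('SESSION_BIND_IP', true);

function secure_session_start(): void
{
    // Keep the id out of URLs and out of reach of script, and mark the cookie
    // secure when the site is served over HTTPS (sessions alone are not security).
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => !empty($_SERVER['HTTPS']),
        'samesite' => 'Lax',
    ]);
    session_start();

    if (SESSION_BIND_IP && isset($_SESSION['bound_ip'])
        && !hash_equals($_SESSION['bound_ip'], $_SERVER['REMOTE_ADDR'] ?? '')) {
        // Address changed since login: treat the session as possibly hijacked,
        // log it for the administrator, and force a fresh login.
        error_log('session ' . session_id() . ': REMOTE_ADDR changed, terminating');
        session_unset();
        session_destroy();
        session_start();              // fresh, empty session
        session_regenerate_id(true);  // and a new id for it
        $_SESSION['force_login'] = true;
    }
}

function login_user(int $userId): void
{
    // New id on privilege change so a pre-login id is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    if (SESSION_BIND_IP) {
        $_SESSION['bound_ip'] = $_SERVER['REMOTE_ADDR'] ?? '';
    }
}
```

Behind a corporate firewall many users share one address, so this check detects a change of address but cannot tell two users at the same address apart; it is a supplement to HTTPS, not a replacement for it.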
